Cyber Essentials: UK Certification for SMBs
Cyber Essentials is a UK government-backed certification for baseline cybersecurity. Understand the five controls, certification levels, and why companies serving UK clients should consider it.
A certification designed for small businesses
Most cybersecurity frameworks feel like they were written by enterprises, for enterprises. They assume you have dedicated security teams, compliance departments, and unlimited budgets for tools.
Cyber Essentials is refreshingly different.
Launched by the UK government in 2014 and now owned by the National Cyber Security Centre (NCSC), Cyber Essentials is designed to help small and medium businesses protect themselves against the most common, untargeted cyberattacks. It is achievable, affordable, and increasingly recognized by customers and partners.
If you do business in the UK—or want to—Cyber Essentials should be on your radar.
What Cyber Essentials covers
Cyber Essentials sets requirements in five technical control areas. They were chosen because, applied together, they stop the bulk of commodity, internet-scale attacks that do not target a specific victim:
1. Firewalls
Control network traffic between your organization and the internet:
- Boundary firewalls (or the equivalent on a cloud or home network) between your devices and the internet
- Default administrative passwords on firewalls and routers changed
- Inbound connections blocked by default
- Any inbound service opened only with a documented business need and approval, and closed again when no longer required
- Remote administration of the firewall from the internet disabled, or protected by MFA or an IP allow list
- Software (host-based) firewalls on laptops and other devices that connect from untrusted networks such as home or public Wi-Fi
Why it matters: Firewalls are your first line of defense against external attacks. Proper configuration prevents most opportunistic intrusions.
2. Secure configuration
Ensure systems are configured securely:
- Remove or disable software, services and features you don't need
- Change default passwords on every device and application
- Disable auto-run and auto-play so inserted media cannot execute code automatically
- Remove or disable unused accounts, including guest accounts
- Lock devices when idle and require a PIN, password or biometric to unlock them
Why it matters: Default configurations are known to attackers. Secure configuration removes easy entry points.
3. User access control
Manage user accounts and privileges:
- Unique user accounts (no shared logins), created through an approval process
- Grant the minimum access each role needs
- Password-based authentication protected against brute force (account lockout or rate throttling) and meeting the scheme's quality rule: 12 or more characters, or 8 or more with MFA or a common-password deny list
- MFA for all users of cloud services, wherever the service supports it
- Regular review and prompt removal of accounts that are no longer needed
- Separate administrative accounts, used only for admin tasks and never for email or web browsing
Why it matters: Stolen or guessed credentials are among the most common ways attackers get in. A unique, least-privilege account limits what one compromised login can reach, and an admin account that never opens email or a browser is far harder to phish.
4. Malware protection
Protect against malicious software:
- Anti-malware software on all in-scope devices, kept up to date, scanning files on access and blocking connections to known malicious websites
- Or application allow listing, so that only approved software can execute
- Apps on phones and tablets installed only from official app stores
Earlier versions of the scheme also accepted sandboxing as an option; the April 2023 (v3.1) requirements removed it.
Why it matters: Malware—ransomware, trojans, spyware—causes direct business harm. Active protection is essential.
5. Security update management
Keep software up to date:
- Apply updates rated critical or high (CVSS v3 base score 7.0 or above), or released with no severity rating, within 14 days of release
- Cover operating systems, firmware on routers and firewalls, and all applications, enabling automatic updates wherever possible
- Remove or replace software the vendor no longer supports with security updates
- Use only licensed, supported software
Why it matters: Known vulnerabilities are the easiest attack target. Timely patching closes these gaps.
The two certification levels
Cyber Essentials offers two levels of certification:
Cyber Essentials (Basic)
What it is: Self-assessment certification
Process:
- Complete an online self-assessment questionnaire
- Your answers are signed off by a board member (or equivalent) and reviewed by an assessor at a certification body licensed by IASME, the scheme's delivery partner
- If requirements are met, certification is issued
Cost: Approximately £300–£600
Time to complete: Can be completed in a single day if you're already compliant
What it proves: You've assessed your own controls and declared compliance
Best for: Small businesses that need a quick, affordable certification and are confident in their controls
Cyber Essentials Plus
What it is: Independently verified certification
Process:
- First, achieve Cyber Essentials basic; the Plus assessment must be completed within three months of that certificate
- Then undergo hands-on technical assessment
- Assessors verify controls through testing
- Certification issued upon successful assessment
Cost: Typically £1,500–£5,000+ depending on organization size
Time to complete: Assessment typically takes 1–3 days; plus preparation time
What it proves: An independent assessor has verified your controls work in practice
Best for: Organizations that need stronger assurance, work with larger customers, or handle sensitive data
Why UK customers increasingly require Cyber Essentials
Government contracts
Since October 2014 (Procurement Policy Note 09/14), central government contracts that involve handling personal information or supplying certain ICT products and services have required Cyber Essentials. If you want to work with the UK public sector, this is often mandatory.
Supply chain requirements
Large UK organizations are increasingly requiring suppliers to hold Cyber Essentials certification. This is driven by:
- Regulatory pressure
- Insurance requirements
- High-profile supply chain attacks
- General security awareness
Insurance benefits
Certification itself includes cyber liability insurance for UK organizations with turnover under £20m that certify their whole organization, and some cyber insurance providers offer discounts or require Cyber Essentials as a baseline. It demonstrates you've implemented basic security hygiene.
Customer confidence
For B2B sales in the UK, Cyber Essentials certification provides immediate credibility. It's a recognized standard that customers understand.
Cyber Essentials for US and international companies
Even if you're not UK-based, Cyber Essentials may be relevant:
If you have UK customers
UK organizations may require supplier certification. Having Cyber Essentials makes sales conversations easier and removes friction from procurement.
If you're expanding to the UK market
Proactive certification demonstrates commitment to the UK market and security awareness.
As a starting point for security
The five control areas are universally applicable. Achieving Cyber Essentials compliance creates a strong baseline regardless of your location.
Mapping to other frameworks
Cyber Essentials maps reasonably well to:
- CIS Controls IG1
- The Protect function of the NIST CSF
- ISO 27001 Annex A technical controls
Work done for Cyber Essentials supports progress toward other frameworks.
What Cyber Essentials doesn't cover
It's important to understand Cyber Essentials' scope:
It's technical, not organizational
Cyber Essentials focuses on five technical control areas. It doesn't address:
- Risk management processes
- Governance and oversight
- Vendor management
- Incident response
- Business continuity
- Employee training and awareness
For comprehensive security, you'll need additional policies and processes.
It's point-in-time
Certification reflects your posture at assessment time. You need ongoing processes to maintain compliance:
- Continued patching
- Access reviews
- Configuration monitoring
- New device onboarding
It's UK-focused
While internationally applicable in principle, the certification itself is primarily recognized in the UK. US customers, for example, may not know what it is.
Preparing for Cyber Essentials certification
Here's how to prepare efficiently:
Step 1: Understand scope
Cyber Essentials applies to your "in-scope" systems. Whole-organization scope is the default and is required for the included insurance; a narrower scope must be a clearly defined network boundary. In scope typically means:
- All user devices (desktops, laptops, phones and tablets), including personal (BYOD) devices that access organizational data or services
- All network equipment, including firewalls and routers
- All internet-facing systems
- All cloud services the organization uses (IaaS, PaaS and SaaS)
Define your scope clearly before assessment.
Step 2: Gap assessment
Review each of the five control areas:
- Firewalls: Is your network properly protected? Are defaults changed?
- Secure configuration: Have you hardened systems? Removed unnecessary software?
- User access control: Are accounts unique? Is access appropriate?
- Malware protection: Is anti-malware deployed everywhere? Updated?
- Patching: Are you current on critical patches? Using supported software?
Identify gaps and create a remediation plan.
See: Questionnaire-Based Gap Assessment
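Several of the requirements in the five control areas above, and therefore much of the gap assessment in this step, are mechanical enough to script against an inventory export: the 14-day window for updates rated CVSS 7.0 or above (or unrated), software past vendor support, missing anti-malware, shared logins, admin accounts used for daily work, cloud accounts without MFA, and the password quality and brute-force rules. The Python below is an added example written for this article, not a tool from the NCSC, IASME or any certification body. The devices, accounts and policy object are constructed inline for illustration, and field names such as `os_supported_until` and `cloud_mfa` are this example's own; it needs Python 3.9 or later and only the standard library.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14      # CE: high/critical updates applied within 14 days of release
CVSS_THRESHOLD = 7.0        # CE: 'high'/'critical' means a CVSS v3 base score of 7.0 or above
MAX_FAILED_ATTEMPTS = 10    # CE brute-force rule: lock out after no more than 10 failed attempts ...
MAX_GUESSES_PER_5_MIN = 10  # ... or throttle to no more than 10 guesses in 5 minutes

@dataclass
class Update:
    name: str
    released: date
    cvss: float | None      # None: vendor published no severity, so CE treats it as in scope
    installed: bool

@dataclass
class Device:
    hostname: str
    os_supported_until: date | None   # None: still in vendor support
    anti_malware: bool
    updates: list[Update] = field(default_factory=list)

@dataclass
class Account:
    username: str
    shared: bool            # one login used by several people
    is_admin: bool
    daily_work: bool        # also used for email and browsing
    cloud_mfa: bool         # MFA enforced on the cloud services this account uses

@dataclass
class PasswordPolicy:
    min_length: int
    mfa_for_all: bool
    common_denylist: bool   # common passwords blocked automatically
    lockout_after: int | None
    throttle_per_5_min: int | None

def patch_gaps(device: Device, today: date) -> list[str]:
    """Unsupported OS, plus in-scope updates still missing after the 14-day window."""
    gaps = []
    if device.os_supported_until is not None and device.os_supported_until < today:
        gaps.append(f"{device.hostname}: operating system is out of vendor support")
    for u in device.updates:
        if u.installed or (u.cvss is not None and u.cvss < CVSS_THRESHOLD):
            continue  # already applied, or below 'high' and so outside the CE rule
        deadline = u.released + timedelta(days=PATCH_WINDOW_DAYS)
        if today > deadline:
            gaps.append(f"{device.hostname}: {u.name} overdue by {(today - deadline).days} day(s)")
    return gaps

def access_gaps(accounts: list[Account], policy: PasswordPolicy) -> list[str]:
    """Shared logins, admin accounts used for daily work, missing cloud MFA, weak password rules."""
    gaps = []
    for a in accounts:
        if a.shared:
            gaps.append(f"{a.username}: shared login; each user needs a unique account")
        if a.is_admin and a.daily_work:
            gaps.append(f"{a.username}: administrative account used for day-to-day work")
        if not a.cloud_mfa:
            gaps.append(f"{a.username}: MFA not enforced for cloud services")
    # Password quality: CE accepts any one of these three options
    quality_ok = ((policy.mfa_for_all and policy.min_length >= 8) or policy.min_length >= 12
                  or (policy.min_length >= 8 and policy.common_denylist))
    if not quality_ok:
        gaps.append("password policy: need 12+ characters, or 8+ with MFA or a common-password deny list")
    brute_force_ok = ((policy.lockout_after is not None and policy.lockout_after <= MAX_FAILED_ATTEMPTS)
                      or (policy.throttle_per_5_min is not None
                          and policy.throttle_per_5_min <= MAX_GUESSES_PER_5_MIN))
    if not brute_force_ok:
        gaps.append("password policy: no lockout or throttling against brute-force guessing")
    return gaps

def run_gap_assessment(devices, accounts, policy, today) -> dict[str, list[str]]:
    return {
        "Security update management": [g for d in devices for g in patch_gaps(d, today)],
        "Malware protection": [f"{d.hostname}: no anti-malware installed" for d in devices if not d.anti_malware],
        "User access control": access_gaps(accounts, policy),
    }

# Constructed sample inventory (not real systems); a fixed assessment date keeps results repeatable.
TODAY = date(2024, 6, 1)
DEVICES = [
    Device("laptop-01", None, anti_malware=True, updates=[
        Update("browser security update", date(2024, 5, 10), 8.8, installed=False),   # 22 days old: overdue
        Update("office suite feature pack", date(2024, 5, 10), 4.3, installed=False),  # medium: outside the rule
        Update("OS cumulative update", date(2024, 5, 25), None, installed=False),      # unrated, still in window
    ]),
    Device("reception-pc", date(2023, 10, 10), anti_malware=False),  # OS past end of support
]
ACCOUNTS = [
    Account("alice", shared=False, is_admin=False, daily_work=True, cloud_mfa=True),
    Account("reception", shared=True, is_admin=False, daily_work=True, cloud_mfa=False),
    Account("bob-admin", shared=False, is_admin=True, daily_work=True, cloud_mfa=True),
]
POLICY = PasswordPolicy(min_length=8, mfa_for_all=False, common_denylist=False, lockout_after=None, throttle_per_5_min=None)
```

Calling `run_gap_assessment(DEVICES, ACCOUNTS, POLICY, TODAY)` on the constructed data reports the browser update as eight days overdue while ignoring the medium-severity feature pack and the unrated update that is still inside its window, flags the unsupported reception PC twice (patching and malware protection), and lists five access-control findings, two of them against the password policy rather than any single account. To use it for real, replace the constants at the bottom with an export from your MDM, directory or patch-management tool; the rules themselves do not change.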
Step 3: Remediate gaps
Common remediation activities:
- Update firewall rules and change default credentials
- Remove unnecessary software and user accounts
- Implement MFA for cloud services
- Deploy anti-malware on all endpoints
- Apply outstanding patches
- Replace unsupported software
Step 4: Document policies
Certification requires evidence that you have defined practices. Policies should cover:
- Acceptable use
- Access control
- Password/authentication requirements
- Patching procedures
- Device management
See: How to Create Cybersecurity Policies
Step 5: Complete the assessment
For basic certification:
- Choose an accredited certification body
- Complete the self-assessment questionnaire
- Submit for review
- Address any questions from the assessor
- Receive certification
For Plus:
- Complete basic certification first
- Schedule on-site or remote assessment
- Assessors will test systems and verify controls
- Address any findings
- Receive Plus certification
Step 6: Maintain compliance
Certification is annual. To stay compliant:
- Continue patching within 14 days
- Review and update firewall rules
- Manage user accounts proactively
- Keep anti-malware current
- Remove unsupported software promptly
Frequently asked questions
How long is Cyber Essentials certification valid?
One year. You must recertify annually to maintain the credential.
Can I self-assess for Cyber Essentials Plus?
No. Plus requires independent verification by an accredited assessor. Only basic Cyber Essentials allows self-assessment.
What happens if I fail the assessment?
For basic: The certification body will explain which requirements aren't met. You can remediate and resubmit.
For Plus: You may need to address findings and undergo reassessment. Some assessors allow limited remediation during the assessment window.
Is Cyber Essentials enough for GDPR compliance?
Cyber Essentials covers some technical security measures relevant to GDPR, but GDPR is much broader—covering data governance, rights management, privacy notices, and more. Cyber Essentials is a good start but not complete GDPR coverage.
See: GDPR Compliance
How does Cyber Essentials compare to ISO 27001?
| Factor | Cyber Essentials | ISO 27001 |
|---|---|---|
| Scope | 5 technical controls | Comprehensive ISMS |
| Approach | Prescriptive | Risk-based |
| Certification | Yes (basic + Plus) | Yes |
| Cost | Low (£300–£5K) | Higher (£10K–£50K+) |
| Time to certify | Weeks | Months to year |
| Maintenance | Annual recertification | Surveillance audits |
Cyber Essentials is a starting point; ISO 27001 is comprehensive. Many organizations start with Cyber Essentials and progress to ISO 27001.
See: ISO 27001 Compliance
Does Cyber Essentials apply to cloud services?
Yes. Since the 2022 (v3.0) update, every cloud service your organization uses is in scope, whether IaaS, PaaS or SaaS. Responsibility is shared: for IaaS you own the operating system configuration, access controls and patching; for PaaS and SaaS the provider patches the platform, but you remain responsible for user accounts, least-privilege access, and enforcing MFA for all users of the service.
Where CyberPolicify fits
Cyber Essentials requires both technical controls and documented policies. CyberPolicify helps with the documentation side:
Cyber Essentials-aligned policies
Generate policies that directly support the five control areas:
- Firewall and network security policy
- System hardening and secure configuration policy
- Access control and authentication policy
- Malware protection policy
- Patch management policy
Gap assessment
Run assessments against Cyber Essentials requirements to identify what's missing before you apply for certification.
Evidence documentation
Create the documentation assessors expect to see—policies, procedures, and control descriptions that demonstrate your security practices.
Cross-framework efficiency
If you're also targeting CIS Controls, NIST CSF, or ISO 27001, see how your Cyber Essentials work contributes to broader compliance goals.
Small business focus
Cyber Essentials is designed for SMBs. So is CyberPolicify. We don't assume you have a compliance team or an enterprise budget.
Get certified faster. Maintain compliance easier. Focus on your business while we help with the paperwork.
Generate documentation mapped to frameworks
Start with policies and procedures aligned to the framework, then close gaps with a clear plan.